Test Yourself on Microsoft Exam #70-214

The scenario and questions provided here are for Microsoft’s exam #70-214, Implementing and Administering Security in a Windows 2000 Network. Because the exam includes numerous scenarios with related questions, I provide a scenario and some follow-on questions.

Scenario

You are the lead domain administrator for Northamerica.Gunderville.com, a root domain in a directory forest whose forest root domain is Zandri.com.

Group and user membership for these root domains is limited to enterprise administrators and other select users. The OU organization for all other systems in the directory forest maps to branch offices and is subordinate to the Northamerica.Gunderville.com root domain. It consists of state-level OUs named after states (CO for Connecticut, NY for New York and so forth) and, within each state-level OU, city-level OUs named after cities: New York City (NYC), Boston (BO), New Haven (NH), Hartford (HF), Wallingford (WF) and Albany (AB).

Most clients run Windows 2000 Professional, with some leftover Windows 98 and Windows NT machines. All Windows 2000 Professional systems were deployed as new installations except those in the Hartford, Wallingford and Albany offices (some were upgraded from Windows 98, others from Windows NT Workstation 4.0).

1. You are a domain administrator for Northamerica.Gunderville.com, which belongs to the Windows 2000 Active Directory forest described in the preceding scenario. You have full control of the entire OU hierarchy. You must make sure all desktop operating systems in that forest use the Hisecws.inf security template and that its settings supersede any settings applied at the domain level. You are further asked to consider future growth of the company and to make no changes higher in the OU hierarchy than necessary.

From the following choices, select all steps necessary to complete this task properly. Choose the answers that allow you to perform your task with the least amount of administrative effort and that adhere to company policy.

A. Create a GPO using Hisecws.inf and link it to the Albany, NYC, Boston, New Haven, Hartford and Wallingford OUs. Block inheritance at the AB, NYC, BO, NH, HF and WF OUs.
B. Block inheritance at the United States OU. Create a GPO using Hisecws.inf and link it to the Albany, NYC, Boston, New Haven, Hartford and Wallingford OUs. Block inheritance at the AB, NYC, BO, NH, HF and WF OUs.
C. Create a GPO using Defltwk.inf and link it to the Hartford, Wallingford and Albany OUs. Place it above (at the top of the list) the GPO that was created with Hisecws.inf so that it runs first.
D. Create a GPO using Basicwk.inf and link it to the Hartford, Wallingford and Albany OUs. Place it above (at the top of the list) the GPO that was created with Hisecws.inf so that it runs first.
E. Create a GPO using Basicwk.inf and link it to the Albany OU. Place it above (at the top of the list) the GPO that was created with Hisecws.inf so that this GPO runs first.

2. You are a domain administrator for Northamerica.Gunderville.com, which belongs to the directory forest described in the preceding scenario. You have full control of the entire OU hierarchy. You must verify that user rights are set so that users can access no more than is necessary to perform their day-to-day work.

Standard Windows 2000 deployments in the enterprise have no local users except the default Administrator account. You check with the lead domain administrator, and he states that he never checked accounts against company standards. A series of access incidents shows that something is amiss with group and account settings, but so far all incidents are localized to systems in the Hartford and Wallingford offices. You perform an inventory of systems in these locations and enumerate those clients whose local accounts must be removed from the local Administrators group.

What is the most likely reason this access problem occurred?

A. Enterprise administrators added certain accounts to the local system and placed them in the Administrators group.
B. Until a GPO is created using Defltwk.inf, local users from an upgraded installation are placed in the local Administrators group during the upgrade process. Once this GPO is configured and linked to these OUs, the last of the old settings from the previous operating system (local administrators) will be corrected.
C. Until a GPO is created using Basic.inf, local users from an upgraded installation are placed in the local Administrators group during the upgrade process. Once this GPO is configured and linked to these OUs, the last of the old settings from the previous operating system (local administrators) will be corrected.
D. This is expected from an upgrade. These users must be removed from the local Administrators group either by the local (default) Administrator or by a domain administrator.

3. You are a domain administrator for Northamerica.Gunderville.com, which belongs to the Windows 2000 Active Directory forest described in the preceding scenario. You have full control of the entire OU hierarchy. You must review membership in the Domain Admins group for Northamerica.Gunderville.com.

The following user accounts appear in the Domain Admins group: MHOWARD, LFINE, CHOWARD, SHOWARD, JBESSER and JDERITA. Three of these, SHOWARD, JBESSER and JDERITA, do not belong there according to the group membership documentation for the domain. You later discover they were added by an enterprise administrator.

You decide to enable Restricted Groups for the domain and add the users MHOWARD, LFINE and CHOWARD. Since the current standards are to administer everything at the organizational level, you need to get approval for this action and it is granted.

What is the outcome of your action?

A. Your attempt to perform this action will be denied because you lack the necessary rights as a domain administrator to cause a change that affects the schema for the forest.
B. You enable the policy for the domain, and the users SHOWARD, JBESSER and JDERITA are removed from the Domain Admins group for Northamerica.Gunderville.com.
C. You enable the policy for the domain, and no new additions may be made to the Domain Admins group by others. But those three unwanted users, SHOWARD, JBESSER and JDERITA, will remain in the group until you remove them manually.
D. You cannot enable the policy while users that an enterprise administrator added remain members of the Domain Admins group. You must remove them manually first.

Answers

1. Answer A is one of the correct answers. Blocking inheritance at the United States OU level is not necessary: the scenario asks that no changes be made higher in the OU hierarchy than necessary, and client and end-user administration is decentralized and performed at the branch-office OU level. Answer E is also correct. Windows 2000 applies its default security settings during a clean installation and during an upgrade from Windows 95 or 98, but a Windows NT 4.0 workstation upgraded to Windows 2000 Professional keeps its NT 4.0 security settings and never receives the default template. (This fact makes many of the other choices wrong. Re-applying the basic template to the Hartford and Wallingford OUs would do no harm, technically speaking, but it is more administrative effort than necessary.) Because Hisecws.inf is incremental, you must first apply the basic template to the upgraded systems so that they carry the default Windows 2000 security settings that Hisecws.inf assumes are already in place.

Security templates such as Hisecws.inf modify security settings incrementally: they contain only the settings they change, not the full default configuration, on the assumption that the default settings are already in place. See Microsoft Knowledge Base Article 234926, Windows 2000 Security Templates Are Incremental, online at support.microsoft.com/default.aspx?scid=kb;en-us;234926.
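As an added worked example (not part of the original article or of Microsoft's exam material), the following batch file shows the ordering the answer to question 1 describes, using Secedit.exe, the command-line counterpart of the Security Configuration and Analysis snap-in that ships with Windows 2000: the full Basicwk.inf baseline is applied first, the incremental Hisecws.inf is layered on top of it in the same database, and an analysis against Hisecws.inf confirms the result. The template, database and log paths are the Windows 2000 defaults; the database and log file names, and the assumption that the analysis log marks differences with the word "Mismatch", are mine. In production the two templates would be delivered by the linked GPOs rather than run by hand, so the /refreshpolicy call at the end shows how to pull those GPOs immediately instead of waiting for the next refresh interval.

```batch
@echo off
rem Added example, not from the original article: bring a Windows NT 4.0-upgraded
rem Windows 2000 Professional system to the default baseline with Basicwk.inf and
rem only then apply the incremental Hisecws.inf template on top of it.
rem Assumptions: templates are in the default %SystemRoot%\security\templates
rem folder, the database and log folders are writable, and this runs in a local
rem Administrator session on the target workstation.
setlocal
set TPL=%SystemRoot%\security\templates
set DB=%SystemRoot%\security\database\upgrade-baseline.sdb
set LOG=%SystemRoot%\security\logs

rem 1. Baseline. Basicwk.inf carries the complete default workstation settings
rem    that a clean install (or a Windows 9x upgrade) gets and an NT 4.0 upgrade
rem    does not. /overwrite starts the database from this template alone.
secedit /configure /DB "%DB%" /CFG "%TPL%\basicwk.inf" /overwrite /log "%LOG%\basicwk.log" /quiet

rem 2. Increment. Hisecws.inf lists only the settings it tightens. Without
rem    /overwrite it is merged into the same database, i.e. applied on top of
rem    the baseline established in step 1.
secedit /configure /DB "%DB%" /CFG "%TPL%\hisecws.inf" /log "%LOG%\hisecws.log" /quiet

rem 3. Verify. Compare the live system against Hisecws.inf. The database can
rem    also be opened in the Security Configuration and Analysis snap-in to
rem    review the result setting by setting.
secedit /analyze /DB "%DB%" /CFG "%TPL%\hisecws.inf" /log "%LOG%\verify.log" /quiet
rem    Assumption: the analysis log records differences with the word "Mismatch".
find /i "Mismatch" "%LOG%\verify.log"
if errorlevel 1 echo No mismatches against hisecws.inf recorded in %LOG%\verify.log

rem 4. Once the Basicwk.inf and Hisecws.inf GPOs are linked to the OU, this
rem    applies machine policy immediately instead of waiting for the refresh
rem    interval, so the result can be checked with the analysis above.
secedit /refreshpolicy machine_policy /enforce
endlocal
```

Step 3 is what makes the incremental point visible: running the same analysis on an NT 4.0-upgraded workstation before step 1 reports differences in the account and audit areas that Hisecws.inf itself never sets, because those values come from the baseline template, not from the incremental one.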